Web Based Password Crack Zyxel: The Best Way to Recover Lost or Forgotten Zyxel Passwords



Preventing subscribers from affecting each other on a shared network or shared device is a major concern for service providers. The Zyxel XGS3600/MGS3600 series offers a set of security features to protect user data while managing traffic. Port security can deny unauthorized users access to the network. In addition, 802.1X working together with RADIUS prevents unauthorized access based on username and password (or other credentials) and acts as access control for converged networks with mixed wired and wireless access.


After reverse-engineering the mechanism behind these _encrypt_ values (tangent 1) and realizing that it is based on the supervisor password, I realized that we can let the device do the decryption for us. It turns out that exactly one of the _encrypt_ fields in the config file is readable and editable from the web interface!


Zyxel no longer publishes the router firmware update binaries on its website. However, I noticed it was using OpenWrt, which is GPL-licensed, so I submitted a form and a few days later received the firmware source code and build instructions. Further review of the code showed that an autogenerated password must have been in use. Update: I was successful in obtaining a firmware dump and getting /etc/config/account; however, the password that worked for supervisor login was not based on autogenpassword with my serial number or MAC address. Instead it was a 10-character password from the a-z0-9 alphabet. Reviewing the source some more, I noticed that autogenpassword was only called when the service was "stopped", meaning only on a clean shutdown command. Since I only ever flipped the power switch to off, that code never executed, so a different default password was used and never changed.
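The two practical steps in the paragraph above, pulling account credentials out of /etc/config/account in a firmware dump and checking whether a password fits the 10-character a-z0-9 pattern, as an added Python example that is not the post author's code. The account file is in OpenWrt UCI syntax, so the block carries a small UCI parser; the section type, option names and password values in the sample are constructed assumptions, since the real Zyxel file is not shown on the page. It also computes the keyspace a brute-force of that pattern would face and the matching hashcat mask arguments (`-1 ?l?d` defines custom charset 1 as lowercase plus digits).

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample in OpenWrt UCI syntax. The real /etc/config/account
# from the Zyxel dump is not on the page; the section type, option names
# and password values below are assumptions for illustration only.
SAMPLE_ACCOUNT_FILE = """\
# constructed sample, not a real device file
config account 'admin'
    option username 'admin'
    option password '1234'
    option privilege 'user'

config account 'supervisor'
    option username 'supervisor'
    option password 'k3n9x2q7ab'
    option privilege 'supervisor'
    list allow 'lan'
    list allow 'wan'
"""

# A UCI token is a single-quoted string, a double-quoted string, or a bare word.
_TOKEN = re.compile(r"'([^']*)'|\"([^\"]*)\"|(\S+)")


@dataclass
class Section:
    type: str
    name: Optional[str]
    options: Dict[str, str] = field(default_factory=dict)
    lists: Dict[str, List[str]] = field(default_factory=dict)


def _tokens(line: str) -> List[str]:
    return [a or b or c for a, b, c in _TOKEN.findall(line)]


def parse_uci(text: str) -> List[Section]:
    """Parse UCI text into Section objects (config / option / list keywords)."""
    sections: List[Section] = []
    current: Optional[Section] = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        # Only whole-line comments are dropped, so a '#' inside a quoted
        # value (such as a password) is preserved.
        if not line or line.startswith("#"):
            continue
        toks = _tokens(line)
        kw = toks[0]
        if kw == "package":
            continue
        if kw == "config":
            if len(toks) not in (2, 3):
                raise ValueError(f"line {lineno}: bad config line: {raw!r}")
            current = Section(type=toks[1], name=toks[2] if len(toks) == 3 else None)
            sections.append(current)
        elif kw in ("option", "list"):
            if current is None:
                raise ValueError(f"line {lineno}: {kw} before any config section")
            if len(toks) != 3:
                raise ValueError(f"line {lineno}: bad {kw} line: {raw!r}")
            if kw == "option":
                current.options[toks[1]] = toks[2]
            else:
                current.lists.setdefault(toks[1], []).append(toks[2])
        else:
            raise ValueError(f"line {lineno}: unknown keyword {kw!r}")
    return sections


def extract_accounts(sections: List[Section],
                     section_type: str = "account") -> Dict[str, Optional[str]]:
    """Map username -> stored password value for every section of the given type."""
    creds: Dict[str, Optional[str]] = {}
    for s in sections:
        if s.type != section_type:
            continue
        user = s.options.get("username", s.name)
        if user is not None:
            creds[user] = s.options.get("password")
    return creds


# The pattern the post reports for the working supervisor password.
AUTOGEN_CHARSET = "abcdefghijklmnopqrstuvwxyz0123456789"
AUTOGEN_LENGTH = 10


def fits_pattern(pw: str, charset: str = AUTOGEN_CHARSET,
                 length: int = AUTOGEN_LENGTH) -> bool:
    """True if pw is exactly `length` characters drawn only from `charset`."""
    return len(pw) == length and all(c in charset for c in pw)


def keyspace(charset: str = AUTOGEN_CHARSET, length: int = AUTOGEN_LENGTH) -> int:
    """Number of candidates a full mask brute-force of this pattern must cover."""
    return len(set(charset)) ** length


def hashcat_mask(length: int = AUTOGEN_LENGTH) -> str:
    """hashcat mask-attack arguments: custom charset 1 = ?l?d, repeated `length` times."""
    return "-1 ?l?d " + "?1" * length


if __name__ == "__main__":
    accts = extract_accounts(parse_uci(SAMPLE_ACCOUNT_FILE))
    for user, pw in accts.items():
        print(f"{user}: {pw!r} fits a-z0-9 x10 pattern: {fits_pattern(pw or '')}")
    print("keyspace:", keyspace(), "mask args:", hashcat_mask())
```

The keyspace of 36^10 (about 3.7e15) is what a mask attack against a hash of such a password must cover; whether a given Zyxel build stores the value in /etc/config/account in the clear or hashed is not something the page states, so the parser only reports what the option contains.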


It has 16 MB of flash with U-Boot and their custom zLoader, followed by a crippled U-Boot load sequence. They added a password requirement to get to the more fully featured U-Boot. I found threads on the internet about zynpass.c, which proved very useful. Also extremely helpful was -routeur-zyxel-emg2926-q10a-de-chez-videotron/, which hints that the EMG2926 is just a nbg6716. Looking at the vendor-provided source code seems to confirm this, so using openwrt-18.06.2-ar71xx-nand-nbg6716-squashfs-factory.bin looks promising for moving to a stock firmware.

